As a service organization there are many ways to provide assurance to your customers and in turn other stakeholders over your control environment. One of the most effective and cost-efficient ways is to issue a Service Organization Control (SOC) Report.
What are Service Organization Controls (SOC) reports?
The marketplace has become much more informed in recent years when it comes to SOC reporting and the tangible benefits it brings. It is seen as best practice to provide or obtain a SOC report as part of a risk management and oversight regime, and in many cases it is now a prerequisite for securing and deploying client solutions.
SOC reports in effect provide a transparent and cost-effective means for assuring internal control accountability and for addressing multiple stakeholder assurance demands.
We would recommend that service organizations have an open discussion with their user organizations in order to understand exactly why a certain SOC report is being requested. This information will help determine which SOC report or reports are appropriate to the needs of user organizations and others.
SOC reports are issued under two primary best-practice standards: SSAE 18 and ISAE 3000.
SOC 1 reports provide a vehicle for reporting on a service organisation’s system of internal controls that is relevant to a user organisation’s internal controls over financial reporting, and are intended to be auditor-to-auditor communications.
At a high level, the following are the basic elements of a SOC 1 report:
- an independent service auditor’s report
- management’s assertion letter
- a description of the system
- a section containing the service auditor’s tests of the operating effectiveness of controls and the related test results (Type II report only).
Additional information provided by the service organisation, but not covered by the service auditor’s opinion, may also be included within a SOC 1 report.
SOC 2 reports offer service auditors and service organisations a reporting option they can use when the subject matter is not relevant to controls over financial reporting.
The SOC 2 report addresses controls at a service organisation that are pertinent to the joint American Institute of Certified Public Accountants (AICPA) – Canadian Institute of Chartered Accountants (CICA) Trust Services Criteria (TSC). The TSC cover five categories: security, availability, processing integrity, confidentiality and privacy.
In a SOC 2 report, management identifies one or more TSC categories that it believes it has achieved and the criteria upon which it will base its assertion of achievement. While SOC 2 reports are intended for user organisation management, other stakeholders (e.g., business partners, customers), along with regulators, may also benefit from the information contained within a SOC 2 report. The structure of the report includes many of the same elements as a SOC 1 report but is more prescriptive than a SOC 1 when it comes to control scoping under the TSC regime.
Like SOC 2 reports, SOC 3 reports allow service organisations to provide user organisations and other stakeholders with a report on controls that are relevant to security, availability, processing integrity, confidentiality and privacy.
Unlike SOC 1 and SOC 2 reports, SOC 3 reports do not include a description of the system or the detailed description of the tests of controls and related test results.
Unlike the other two types, SOC 3 reports are short-form, publicly available documents and tend to be aimed at the uninformed user. SOC 3 reports can be freely distributed or posted on service organisations’ websites with a seal.
Deciding how the three types of SOC reports will best meet the varying needs of different audiences and cover different subject matter can be challenging. As your service auditor, Grant Thornton can assist you with all your SOC requirements. For instance, for some organisations, determining which SOC report or reports are appropriate may show that the answer differs from the type of report the organisation obtained in the past.
Additionally, in instances where obtaining multiple reports might satisfy the organisation’s various needs, the level of effort needed to obtain more than one report will vary based on the specific scope and coverage of the report. If controls overlap, we can leverage the work from one audit for another and the necessary work will only be incremental.
Grant Thornton are happy to clarify these options for you. This will ensure that you have a full appreciation of the subject matter and, in turn, that you have chosen the best-fit report or reports for your specific needs.
Understanding your third-party reporting options will go a long way toward providing your clients and their auditors with the information they require, instilling confidence in the services that you provide and delivering brand-enhancing and commercial reward for your business.